Inbound SSH Connection To Vulnerable XZ Machine : CVE-2024-3094 Exploits

This KQL query can be used to detect post exploitation activities related to CVE-2024-3094. This vulnerability is related to reports of malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1.

Multiple sources suggest that the malicious code is ingested in functions that SSHD leverages to bypass authentication features, this is yet to be confirmed.

If you only want to list devices with the vulnerable version use:

DeviceTvmSoftwareInventory
| where SoftwareName has "xz"
| where SoftwareVersion has "5.6"
| distinct DeviceName

Defender For Endpoint

let VulnerableXZDevices = DeviceTvmSoftwareInventory
    | where SoftwareName has "xz"
    | where SoftwareVersion has "5.6"
    | distinct DeviceId;
DeviceNetworkEvents
| where DeviceId in (VulnerableXZDevices)
| where ActionType == "InboundConnectionAccepted"
| where InitiatingProcessFileName contains "ssh"
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)

Sentinel

let VulnerableXZDevices = DeviceTvmSoftwareInventory
    | where SoftwareName has "xz"
    | where SoftwareVersion has "5.6"
    | distinct DeviceId;
DeviceNetworkEvents
| where DeviceId in (VulnerableXZDevices)
| where ActionType == "InboundConnectionAccepted"
| where InitiatingProcessFileName contains "ssh"
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)